Use automatic DH ephemeral parameters instead of fixed 512 bit.

Based on OpenSSL.

1 files changed, 23 insertions, 38 deletions

diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 6f87819d1e..5987f76e1c 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.3 2014/10/22 13:54:03 jsing Exp $ */
+/* $OpenBSD: s_server.c,v 1.4 2014/10/31 16:56:00 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -190,40 +190,10 @@ generate_session_id(const SSL * ssl, unsigned char *id,
     unsigned int *id_len);
 #ifndef OPENSSL_NO_DH
 static DH *load_dh_param(const char *dhfile);
-static DH *get_dh512(void);
 #endif
 
 static void s_server_init(void);
 
-#ifndef OPENSSL_NO_DH
-static unsigned char dh512_p[] = {
-        0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
-        0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
-        0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
-        0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
-        0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
-        0x47, 0x74, 0xE8, 0x33,
-};
-static unsigned char dh512_g[] = {
-        0x02,
-};
-
-static DH *
-get_dh512(void)
-{
-        DH *dh = NULL;
-
-        if ((dh = DH_new()) == NULL)
-                return (NULL);
-        dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
-        dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
-        if ((dh->p == NULL) || (dh->g == NULL))
-                return (NULL);
-        return (dh);
-}
-#endif
-
-
 /* static int load_CA(SSL_CTX *ctx, char *file);*/
 
 #define BUFSIZZ 16*1024
@@ -1149,15 +1119,22 @@ bad:
                 else if (s_cert_file)
                         dh = load_dh_param(s_cert_file);
 
-                if (dh != NULL) {
+                if (dh != NULL)
                         BIO_printf(bio_s_out, "Setting temp DH parameters\n");
-                } else {
-                        BIO_printf(bio_s_out, "Using default temp DH parameters\n");
-                        dh = get_dh512();
-                }
+                else
+                        BIO_printf(bio_s_out, "Using auto DH parameters\n");
                 (void) BIO_flush(bio_s_out);
 
-                SSL_CTX_set_tmp_dh(ctx, dh);
+                if (dh == NULL)
+                        SSL_CTX_set_dh_auto(ctx, 1);
+                else if (!SSL_CTX_set_tmp_dh(ctx, dh)) {
+                        BIO_printf(bio_err,
+                            "Error setting temp DH parameters\n");
+                        ERR_print_errors(bio_err);
+                        DH_free(dh);
+                        goto end;
+                }
+
 #ifndef OPENSSL_NO_TLSEXT
                 if (ctx2) {
                         if (!dhfile) {
@@ -1170,7 +1147,15 @@ bad:
                                         dh = dh2;
                                 }
                         }
-                        SSL_CTX_set_tmp_dh(ctx2, dh);
+                        if (dh == NULL)
+                                SSL_CTX_set_dh_auto(ctx2, 1);
+                        else if (!SSL_CTX_set_tmp_dh(ctx2, dh)) {
+                                BIO_printf(bio_err,
+                                    "Error setting temp DH parameters\n");
+                                ERR_print_errors(bio_err);
+                                DH_free(dh);
+                                goto end;
+                        }
                 }
 #endif
                 DH_free(dh);